United States Department of State
and the Broadcasting Board of Governors

Office of Inspector General

DEC 15 2011

SENSITIVE BUT UNCLASSIFIED

MEMORANDUM

TO:       IRM - Ms. Susan Swart

FROM:     OIG - Harold W. Geisel

SUBJECT:  Memorandum Report - Improvements Needed in Information Technology
          Contingency Planning, ISP-I-12-04

The Office of Inspector General (OIG) identified issues with information technology (b) (5) in 20 of the 50 ins (b) (5)
(b) (5)

A properly documented and tested IT contingency plan has a direct impact on whether a bureau or post can operate effectively after an unforeseen incident. Information systems are vulnerable to a variety of disruptions, from short-term power outages or disk drive failures to equipment destruction. While some system vulnerabilities can be minimized, it is virtually impossible to eliminate all the risks to an information system. Effective IT contingency planning, including thorough testing of the plan, is essential to mitigate the risk of system and service unavailability.

An IT contingency planning process involves several steps:
    - developing a contingency planning policy;
    - conducting a business impact analysis;
    - identifying preventive controls;
    - creating contingency strategies;
    - performing test and training exercises; and
    - maintaining and updating the contingency planning document on a regular basis.¹

¹ National Institute of Standards and Technology Special Publication 800-34, Revision 1, Chapter 3, Contingency Planning Guide for Federal Information Systems, May 2010.

Proper IT contingency planning was crucial to several overseas posts that dealt with unforeseen, catastrophic incidents in the last year. The earthquake and tsunami in Japan, for example, highlighted the importance of post personnel reviewing IT operations and assessing which critical functions and systems would be required in the event of an emergency. In a "lessons learned" document prepared for the Bureau of Information Resource Management (IRM), Embassy Tokyo cited preparation as a key to their ability to resume critical operations after the natural disaster. As stated by Embassy Tokyo's information management officer, the level of advanced IT preparation made it easier for them to set up their alternate communications site. In addition to having a complete and pretested IT contingency plan, the embassy described the importance of having all required equipment, contact information, and instructions ready and distributed. All these elements are necessary for a smooth recovery.

Inspection Findings

Given the importance of maintaining telecommunications and IT operations in the aftermath (b) (5), OIG selected IT contingency planning as an area of (b) (5) for 2010 and (b) (5)
(b) (5)

(b) (5) posts are required to provide for an off-site storage location in a U.S. Government approved and controlled facility, to minimize the potential for complete loss of programs and data in an emergency. In a catastrophic event, it is imperative that posts have their backup media stored in another location, preferably one that is not subject to the same environmental concerns as the primary location.

(b) (5) According to 12 FAM 622.3-2 d., domestically, the system manager, in coordination with the information systems security officer and the data center manager, will coordinate the IT contingency plan with the emergency action plan, to ensure that any emergency response procedures specified in the contingency plan are consistent with the emergency action plan. Abroad, the information management officer and the regional security officer will coordinate both plans in conjunction with the data center manager and the system manager to ensure consistency.

In accordance with 12 FAM 613.11 and 5 FAM 121.1, the information management officer is responsible for the overall management of contingency planning at overseas posts, including ensuring that the IT contingency plan is fully coordinated with the post's emergency action plan. Domestically, the system owner is responsible for ensuring that contingency plans are developed and maintained for each system and application, per 5 FAM 825 b.(3). However, in accordance with 5 FAM 822 (2), the responsibility for contingency planning ultimately lies with IRM to ensure the availability of IT systems and operations that support the Department's diplomatic, consular, and management operations.

The lack of a properly developed and tested IT contingency plan that is linked with overall emergency preparedness processes could be detrimental to a post's or bureau's recovery efforts following an unforeseen incident. During the IT contingency planning process (including drafting, testing, and updating), information management personnel are able to identify and address deficiencies. The planning process also provides a sound training environment, enabling emergency personnel to become familiar with potential emergency situations. Without such a process, bureaus and posts are vulnerable to the loss of availability of network systems, data, and communications capabilities.

Available Resources

The Department has several resources for employees seeking information on IT contingency planning. These include an online Foreign Service Institute (FSI) course on developing, maintaining, and implementing an IT contingency plan. Contingency planning also is included in the FSI IRM Tradecraft course, which focuses on the basic responsibilities of information management officers. Additionally, IRM's Office of Information Assurance Intranet site has templates, frequently asked questions, and basic guidance on contingency planning.

Even though these resources are readily available, the Department has not held assigned personnel within bureaus and posts accountable for complying with the requirements for IT contingency planning. IRM has no definitive means of ensuring that employees complete IT contingency plans and address all elements identified in Department regulations. As mentioned in IRM's Office of Information Assurance Web site, system owners are currently required to provide IT contingency planning test results for reportable systems and applications as part of their Federal Information Security Management Act of 2002 compliance. However, this requirement does not apply to all bureaus and posts for their IT contingency planning components.

If IRM were to implement and enforce a tracking mechanism, it could help the Department ensure that all responsible parties are developing, updating, and testing IT contingency plans. Including IT contingency planning requirements as a rating factor in the performance appraisals for responsible system owners and information management personnel also would motivate responsible individuals to fulfill this critical element in protecting the Department's networks and systems.

Further, the Department should include the completion and testing of IT contingency plans as factors in the methodology for determining risk scores for bureaus and posts, in applications such as iPost (a tool that allows authorized users to access enterprise network performance and system security monitoring data). Currently, the risk scores are calculated using elements such as patch management, antivirus, and cyber security awareness training statistics. If the Department were to include IT contingency planning as part of the risk scoring in iPost or another application, the information management personnel at bureaus and posts would have an additional incentive to comply with contingency planning requirements.

Recommendation 1: The Bureau of Information Resource Management should implement and enforce a tracking mechanism to document whether or not bureaus and posts have complied with information technology contingency planning requirements. (Action: IRM)

Recommendation 2: The Bureau of Information Resource Management should include the development and testing of contingency plans as criteria in its risk scoring methodology for site health of posts and bureaus. (Action: IRM)

(b) (6)

Enclosures:
    Compliance Information and Instruction Sheet

(b) (5)

(b) (5)